How to access a REST endpoint on the deployment se...

azollmanflatiro · ‎12-13-2016

I'm trying to populate a lookup table with information about my deployment clients. The only place I've found to get that information is from the deployment server itself. The following rest command returns the data I want, but it only works when I run it on the deployment server (which is not a search head peer, so doesn't have access to the same lookup tables for |outputlookup).

If I specify "splunk_server=master" in the search, and run it on my normal search head cluster, I get no results back.

Is there a way to make the search run on my normal search heads and query against the deployment server? Or, alternatively, run on the master and write against a lookup table (kvstore, if it matters) on my search head cluster?

| rest splunk_server=local  /services/deployment/server/clients 
|eval serverClass="" 
|foreach *.serverclasses [eval serverClass=mvdedup(mvappend(serverClass,'< < FIELD > >'))]
|rename hostname as sourceHost ip as sourceIp 
|table sourceHost,sourceIp,serverClass

somesoni2 · ‎12-13-2016

The | rest command only works for local server (current search head) and all search peers (Indexer/Peers that have been setup in distributed search). So to access deployment server Rest Api endpoints, add your deployment server as the search peer (Settings->Distributed search-> Search peers)

How to access a REST endpoint on the deployment server from a search head cluster?

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today